Enable BitLocker Drive Encryption in Windows Server 2012

How do I enable Bitlocker drive encryption in Server 2012?

BitLocker can be useful on servers, especially in remote branch offices where physical security is often weak. BitLocker Drive Encryption in Windows Server 2012 works a little differently from Windows 8 in that BitLocker must be installed as a feature before it can be configured. In this article, I'll describe how to install BitLocker on Windows Server 2012 and how to configure encryption for your server's hard drives.

Install BitLocker in Windows Server 2012

Log on to Windows Server 2012 as a local administrator.

Right-click on the PowerShell icon on the desktop Taskbar and select Run as Administrator from the menu.

PowerShell will display a 48-digit recovery password in the window. Make a note of it immediately and store it somewhere safe; it is the only way to unlock the volume if the other key protectors are lost.

There are three encryption methods you can specify: AES128, AES256 or HARDWARE for drives that are Encrypted Drive Hardware compatible. The -UsedSpaceOnly parameter is new to Windows Server 2012 and Windows 8. It stops BitLocker from encrypting free space, making the initial encryption process much faster.

The -RecoveryPasswordProtector parameter tells BitLocker to generate a 48-digit recovery password automatically, and it will be required to unlock the volume. If your server has a Trusted Platform Module (TPM) chip, specifying the -TPMandPinProtector parameter instead, which uses the chip to store the key and requires a PIN to unlock the drive, is more secure than relying on a recovery password alone.

Check the encryption status of a volume

Notice that PowerShell states that protection is off on the volume where we've just enabled encryption. It takes some time for BitLocker to encrypt the used space, and the volume is only fully protected once all the data is encrypted. To check the status of BitLocker encryption on a volume, run the following command: manage-bde -status d:
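The whole procedure above (install the feature, encrypt a data volume with the parameters described, record the recovery password and check progress) as one PowerShell script. This is an added example, not a command sequence from the original article; the D: drive letter and the path where the recovery password is written are assumptions for this example.

```powershell
# Added example: run from an elevated PowerShell session on Windows Server 2012.
$MountPoint = "D:"                                   # assumed data volume
$KeyFile    = "C:\BitLocker-D-recovery.txt"          # assumed location; restrict NTFS access to admins

# 1. On Server 2012 BitLocker is a feature; install it, then reboot before enabling it.
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools
    Write-Warning "BitLocker feature installed; restart the server and run this script again."
    return
}

# 2. AES-256, used space only, with an auto-generated 48-digit recovery password.
#    Caveat: -UsedSpaceOnly leaves remnants of previously deleted files in free space
#    unencrypted, so omit it on a disk that has already held sensitive data.
Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
    -UsedSpaceOnly -RecoveryPasswordProtector | Out-Null

# 3. Record the recovery password immediately (it is the only unlock path if the
#    other protectors are lost) and keep the protector ID alongside it.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
"{0} {1} {2} {3}" -f $env:COMPUTERNAME, $MountPoint, $rp.KeyProtectorId, $rp.RecoveryPassword |
    Out-File -FilePath $KeyFile -Encoding ASCII

# Optional: escrow the recovery password in Active Directory so a lost note is not a
# lost volume (requires the computer object to be allowed to write BitLocker info).
# Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId

# 4. ProtectionStatus stays Off until encryption of the used space completes;
#    poll this (or 'manage-bde -status D:') before treating the volume as protected.
$status = Get-BitLockerVolume -MountPoint $MountPoint
"{0}: {1}, {2}% encrypted, protection {3}" -f $status.MountPoint, $status.VolumeStatus,
    $status.EncryptionPercentage, $status.ProtectionStatus
```

For the operating system volume on a TPM-equipped server, replace -RecoveryPasswordProtector with -TpmAndPinProtector -Pin (a SecureString) and still add a recovery password as a second protector so the drive can be recovered if the TPM is cleared.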

Unlocking encrypted volumes

With the current configuration, someone would need to enter the recovery password manually each time the server starts in order to unlock the encrypted volume. You can unlock the volume by double-clicking the drive's icon in File Explorer and entering the recovery password when prompted, or by using the following two PowerShell commands: